Cart66 released a new version this morning, addressing the vulnerability I posted about yesterday. A one-day turn-around to address a security issue is excellent (even if the stink from 9 months of inattention hasn’t fully dissipated yet). I’m disappointed I had to resort to a public warning to get action but glad that action was taken (and glad to see the Cart66 folks making the right general noises about the importance of security).
While I’m glad a new version is out to address the vulnerability, I think it was a mistake to release any information about the nature of the exploit today (the same day that the fix is available). I would have favored:
- Release the new version with the explanation that this fixes a security vulnerability and everyone should upgrade right away.
- Wait for a week to allow your customers time to upgrade.
- Then release the details of the exploit.
As a customer, I’m surprised I haven’t (as of this writing) received a notification warning me of the vulnerability and urging me to upgrade.[1] I believe it’s the responsibility of a software provider to reach out to their customers to warn them about security issues before disclosing the details of them publicly.
Cart66 has already generally disclosed what the vulnerability is, but they didn’t go into much detail about how it could be exploited. The “black hat” folks will likely figure it out anyway, but I’m going to hold off sharing any details of it until next week. I think it is appropriate to outline how this can be exploited to help provide some context to Cart66 customers, but I don’t want to be the one making it more likely that people will exploit the vulnerability on their sites.
While I am generally willing to take the explanation of how this vulnerability was allowed to remain unaddressed for such a long time at face value, I also believe this shows a fundamental lack of emphasis on security throughout the Cart66 organization. Someone received my email, replied that this was already a known problem, and then nothing happened. Who knows, perhaps the people involved with that response aren’t even with the company anymore, but I’m pretty darn sure that this wouldn’t happen in my shop. A security vulnerability is a “Drop everything, get it patched and get a new release out. NOW!” situation. I will take them at their word that they are working to address this internally, but I’m still not comfortable with what their response (or lack thereof) says about their culture.
If I were advising the Cart66 team, I would tell them they need to take additional steps to make it clear to their customers that they are taking security seriously. I would recommend hiring Mark Jaquith (or another reputable consultant or firm) to do a full security audit of their code and product architecture.
I would also create and publish a process by which developers can responsibly submit security concerns, patches, etc. This should be easy to find on the Cart66 website.
Lastly, I would establish the process by which security issues are communicated to customers (a mailing list, or similar). In the case of responsibly disclosed vulnerabilities, this should include giving customers reasonable time to upgrade before publishing any details of an exploit.
All software has bugs, and some of these bugs have security ramifications. How you deal with them (and how you work with your customers when they are found) is what builds or destroys your reputation.
[1] I did receive an email response to my ticket about the new release, but that didn’t go to all customers.
I’m glad they fixed this, but there is no excuse for this at all. And TOTALLY retarded to NOT email users. And also why talk about the error until you give your users a chance to fix it.
Now, knowing Alex has a lot of followers, he was able to get their attention. What about the no name blogger that finds an error like this and posts. No one gives a shit. These people really need to step up their game.
Wow, that’s horrible! I think this speaks horribly about the Cart66 team. If they let an issue like this last for almost a year and were only moved to action after a public outing, then who knows what other problems they might have or might not solve until publicly outed.
Last fall I discovered a massive security flaw in one of the WooCommerce payment gateway extensions. I reached out to Mike Jolley privately over GitHub, explained the problem and they released a fix for it within 48 hours.
WooCommerce definitely understands security, but Cart66? Meh.